[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CodeIgniter <= 2.1.4 Session Decoding Vulnerability
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: CodeIgniter <= 2.1.4 Session Decoding Vulnerability
- From: Robin Bailey <Robin.Bailey@xxxxxxxxxxx>
- Date: Tue, 10 Jun 2014 15:38:32 +0000
Class Weak encryption
Remote Yes
Published 6th June 2014
Credit Robin Bailey of Dionach (vulns@xxxxxxxxxxx)
Vulnerable CodeIgniter <= 2.1.4
Session cookies created by the CodeIgniter PHP framework contain a number of
variables in a serialized PHP array. To prevent users from tampering with this
cookie two options are available: either an MD5 checksum is used or the cookie
is encrypted.
If the application is configured to encrypt the cookie, it will attempt to use
256bit AES from the Mcrypt PHP library. If this library is not available (note
that the library was not required, and was not mentioned in the framework
documentation) then it will silently fall back to using a custom XOR based
encryption.
Because the structure of the session cookie is known, and the cookie contains a
number of user-defined parameters (such as the UserAgent), it is possible to
decrypt the cookie by performing an offline brute-force attack to obtain the
(hashed) encryption key with keys of increasing length. Real world tests showed
that this takes between a few seconds and a few minutes.
Once the encryption key has been obtained, there are a number of attacks that
can be performed:
1. The session cookie can be decrypted, which may expose session variables.
2. The cookie is passed to an unserialize() call immediately after decryption,
so PHP object injection may be possible depending on the classes available
(note that the core CodeIgniter classes are not exploitable).
3. Session variables can be injected, which can lead to an authentication
bypass in some applications by injecting a "username" or "email" session
variable.
Full details of the vulnerability and proof of concept attack scripts are
available here:
http://www.dionach.com/blog/codeigniter-session-decoding-vulnerability
https://github.com/Dionach/CodeIgniterXor
After this issue was reported to the vendor (EllisLab), CodeIgniter 2.2.0 was
released that removes the XOR based encryption, and required Mcrypt if
encryption is used in the application. Note that this vulnerability can be
mitigated by installing Mcrypt, as the vulnerable code will no longer be used.
Timeline:
27/05/2014 Vulnerability identified
28/05/2014 Initial vendor contact
28/05/2014 Vendor response to contact
29/05/2014 Vulnerability disclosed to vendor
29/05/2014 Vendor confirms vulnerability
05/06/2014 Vendor releases patch
06/06/2014 Public disclosure of vulnerability
______________________________________________________________________
Disclaimer: This e-mail and any attachments are confidential.
It may contain privileged information and is intended for the named
addressee(s) only. It must not be distributed without Dionach Ltd consent.
If you are not the intended recipient, please notify the sender immediately and
destroy this e-mail.
Any unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail
are those of the individual sender, and not of Dionach Ltd.
Dionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company
Registration No. 03908168, VAT No. GB750661242
______________________________________________________________________